From minimal use just a few short years ago, containers, and most notably Docker, has gained nearly 30% penetration. This container penetration is primary with DevOps; but it crosses production environments and all sizes of environments. Unfortunately, with early adoption there was less of a focus on security. This has been rectified over the past year or so, with security solutions for images, containers, and orchestration now available. However, any container security solution must be agile enough to echo the speed at which containers are created and destroyed if the chance of a breach is to be minimized. Legacy scanning architectures won’t suffice.
A solution should support the complete lifecycle, from image scanning, through hardening of the container itself, to securing the orchestration layer. The diagram below depicts these steps. First, the developer pulls the latest image from a selected private or public registry. This image is scanned for vulnerabilities and patched, and then the developer may work with it, later passing it back to the registry. The registry informs the staging environment, which pulls this and other secure images from the registry, and then invokes a container engine such as Docker to compile them together and create the container. Though assumed to be secure, this container must also be brought into the security process, with the underlying server, VM, and the container itself analyzed for risk. The analysis includes the various CIS and NIST benchmarks and frameworks as well as any regulatory guidelines. Once verified, it can be pushed into production. Finally, but in parallel to this, hardening of any orchestration system should occur, in this case, with Kubernetes.
To learn more about implementing Docker security (or Kubernetes security) in a hybrid infrastructure visit our solutions page, securing the container lifecycle from the beginning. Cavirin has taken a leadership role securing the container lifecycle, including co-authoring both Docker and Kubernetes Security Benchmarks from the beginning.
